Configuring a security policy for a VDOM
Security policies can reference only the interfaces, zones, and firewall addresses that belong to the current VDOM, and they are visible only while you are viewing that VDOM. The security policies of a VDOM filter the network traffic on the interfaces and VLAN subinterfaces of that VDOM.
A firewall service group can be configured to combine multiple services into a single service group. When the group is given a descriptive name, an administrator can quickly determine which services a security policy allows.
The following procedure assumes that a VDOM called Client2 exists. It configures an outgoing security policy that allows all HTTPS and SSH traffic from the SalesLocal address group on VLAN_200 to all addresses on port3. This traffic is scanned and logged.
To configure a security policy for a VDOM - web-based manager
1. In Virtual Domains, select the Client2 VDOM.
2. Go to Policy & Objects > Policy.
3. Select Create New.
4. Enter the following information and select OK:
| Setting | Value |
| --- | --- |
| Incoming Interface | VLAN_200 |
| Source Address | SalesLocal |
| Outgoing Interface | port3 |
| Destination Address | any |
| Schedule | always |
| Service | Multiple - HTTPS, SSH |
| Action | ACCEPT |
| Log Allowed Traffic | enable |
To configure a security policy for a VDOM - CLI
config vdom
    edit Client2
        config firewall policy
            edit 12
                set srcintf VLAN_200
                set srcaddr SalesLocal
                set dstintf port3
                set dstaddr any
                set schedule always
                set service HTTPS SSH
                set action accept
                set status enable
                set logtraffic enable
            next
        end
    next
end
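A policy that is entered by hand in the GUI or CLI can drift from its intent over time (a service widened, logging switched off), so it is worth checking the running configuration against the stated intent. The script below is an added example and is not Fortinet code: it parses a FortiOS-style `config` / `edit` / `set` / `next` / `end` block into nested dictionaries, expands service groups the way the service-group paragraph above describes, and verifies that policy 12 in VDOM Client2 still matches the procedure (VLAN_200, SalesLocal, port3, only HTTPS and SSH, accept, logging enabled). The configuration text is constructed for this example; the service group name `Sales_Admin` is hypothetical and is used so the policy references one group object instead of two services.

```python
"""Parse a FortiOS-style CLI config block and check a firewall policy against
its intended settings.  Added example, not Fortinet code; the config below is
constructed to mirror the Client2 policy on the page."""

import shlex

# Constructed sample: the page's policy 12 plus a hypothetical service group
# "Sales_Admin" that bundles HTTPS and SSH so the policy can reference one object.
SAMPLE_CONFIG = """\
config vdom
    edit Client2
        config firewall service group
            edit "Sales_Admin"
                set member "HTTPS" "SSH"
            next
        end
        config firewall policy
            edit 12
                set srcintf "VLAN_200"
                set srcaddr "SalesLocal"
                set dstintf "port3"
                set dstaddr "any"
                set schedule "always"
                set service "Sales_Admin"
                set action accept
                set status enable
                set logtraffic enable
            next
        end
    next
end
"""

# Same configuration after two undesirable changes: service widened to ALL and
# logging turned off.  Constructed to show what a drift finding looks like.
DRIFTED_CONFIG = (SAMPLE_CONFIG
                  .replace('set service "Sales_Admin"', 'set service "ALL"')
                  .replace("set logtraffic enable", "set logtraffic disable"))

# What the procedure on the page intends policy 12 to look like.
INTENT = {
    "srcintf": ["VLAN_200"], "srcaddr": ["SalesLocal"], "dstintf": ["port3"],
    "dstaddr": ["any"], "schedule": ["always"], "action": ["accept"],
    "status": ["enable"], "logtraffic": ["enable"],
}
ALLOWED_SERVICES = {"HTTPS", "SSH"}


def parse_fortios(text):
    """Return nested dicts: config sections keyed by path, edit entries by
    name, and each 'set' as key -> list of values.  An 'end' closes an open
    'edit' implicitly, matching the short form used in the page's CLI."""
    root = {}
    stack = [root]      # container currently receiving lines
    in_edit = []        # parallel to stack[1:]: True if that level is an edit
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
            in_edit.append(False)
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
            in_edit.append(True)
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd == "next":
            if in_edit and in_edit[-1]:
                stack.pop(); in_edit.pop()
        elif cmd == "end":
            if in_edit and in_edit[-1]:        # implicit 'next'
                stack.pop(); in_edit.pop()
            if in_edit:                        # close the config section
                stack.pop(); in_edit.pop()
    return root


def expand_services(vdom, names, _seen=None):
    """Flatten service names, recursing into service groups (cycle-safe)."""
    seen = set() if _seen is None else _seen
    groups = vdom.get("firewall service group", {})
    out = []
    for name in names:
        if name in groups:
            if name in seen:
                continue
            seen.add(name)
            out.extend(expand_services(vdom, groups[name].get("member", []), seen))
        else:
            out.append(name)
    return out


def check_policy(config, vdom_name, policy_id):
    """Return a list of drift findings; an empty list means the policy matches."""
    vdom = config["vdom"][vdom_name]
    policy = vdom["firewall policy"][policy_id]
    findings = []
    for key, want in INTENT.items():
        if policy.get(key) != want:
            findings.append(f"{key}: expected {want}, found {policy.get(key)}")
    extra = set(expand_services(vdom, policy.get("service", []))) - ALLOWED_SERVICES
    if extra:
        findings.append(f"service: unexpected {sorted(extra)}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("intended", SAMPLE_CONFIG), ("drifted", DRIFTED_CONFIG)):
        print(label, check_policy(parse_fortios(cfg), "Client2", "12") or "OK")
```

Running the script reports `OK` for the intended configuration and two findings for the drifted one (the widened service and the disabled logging). The parser only understands the four keywords used in policy and object configuration, which is enough for a `show firewall policy` or `show firewall service group` dump; a real config backup also carries `#config-version` header lines, which are skipped because they tokenize to a single unrecognized word.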